Spring Cleaning for Compliance Programs

by Matt Kelly on April 1st, 2019

Spring Cleaning for Compliance Programs

I live in New England, where warm temperatures don’t arrive until April is staring us in the face. Now that April is here and spring has arrived, it’s time to think about spring cleaning—which an ethics and compliance program needs just as much as your garage.

I define spring cleaning in three ways. First, what has become clutter we no longer use, that can be discarded? Second, what can be cleaned up and rearranged, so people can move through the whole house more easily? Third, can we open all the windows to let some fresh air breeze through the place?

Those concepts—discarding the unnecessary, rearranging to improve operations, providing some fresh air—apply just as easily to spring cleaning for your compliance program. Let’s consider examples for each one in turn.

Discarding the Unnecessary

Everyone loves annual risk assessments, to identify new risks facing the organization and strengthen our compliance processes as warranted. That’s good. Yet we often overlook a crucial companion to that exercise: discarding old policies and procedures that are obsolete or counterproductive.

Employment policies are a great example of this. We’ve seen numerous states in the last 18 months ban employment contracts that include non-disclosure agreements relating to sexual harassment complaints; others have new laws on asking about past salary history or offering paid leave.

So, does your organization have a policy management capability, to assure that no distant corner of the enterprise still uses outdated policies? Have you discarded ill-fitting policy language and streamlined policies that do exist?

Human resources issues aren’t the only field where discarding obsolete policies might arise. You might, for example, want to revisit anti-corruption training and certification for third parties. Does every third party need to take your complete anti-corruption training? Or might you let them attest to similar anti-corruption training they already undertake themselves, and only require training for any issues your training addresses but theirs doesn’t?

Each compliance function must find its own answers to such questions. It’s just important to ponder them regularly.

Rearranging to Improve Operations

Any parent can appreciate our next point about spring cleaning. You look around and wonder, “How did all these toys get into my house? Why are they all over the place?”

Now ask that same question about your cloud-based tech service providers, because they do the same thing without proper management: clutter your compliance function.

Just like toys, not all tech service providers are bad. Nor can you expect your employees (children) to live without them. The compliance department can, however, develop policies about how tech service providers are used, which employees should use them, and when employees can use them.

That rearrangement and organization are going to become increasingly important in the future. Even small organizations now routinely use dozens of third-party tech service vendors; at large organizations, that number soars into the thousands. Consolidating the number of tech vendors the compliance function works with is a great place to start. Seek vendors that provide multiple functionalities within the same tool to limit the number of vendors you are working with, among other benefits.

Compliance officers may need to talk with the “other parent” in this analogy, the IT security officer, to determine exactly what the tech vendor policies should be. But bringing stronger governance to technology third parties operating within your organization — that’s vital. Otherwise, the toys just keep piling up.

Providing Fresh Air

I start spring cleaning simply by opening the doors and windows, to flood the house with sunlight, warmth, and fresh air. It’s a moment to invigorate and re-energize myself, before getting on with whatever work needs doing.

Compliance officers should try to achieve something similar when preparing for a risk assessment or a review of your program: inviting people with fresh perspectives to take a look at how the compliance program operates now, and make recommendations on how the program might improve.

Many internal auditors do something similar when performing their own risk assessments. A hospital’s audit team might add nurses for a quarter; a bank’s audit team might borrow someone from the customer call center. Those are people working in the so-called First Line of Defense—and they know full well which internal controls do or don’t work for the risks the business truly has because they’re toiling in the firm’s operations every single day.

Now, most large businesses already have an in-house compliance committee of some kind, which often does include leaders from the First Line of Defense. My point is that compliance officers might sometimes consider adding a new voice onto that committee or asking the committee members’ subordinates to review their plans.

Let’s be honest: we’ve all had managers present plans to us from executives on high, where our first reaction was, “Well this will never work in the real world.” That’s what compliance officers want to avoid. So the more we can bring a fresh, practical perspective to the spring cleaning we want to do, the more efficiently we can get through those cleaning chores.

Then, at long last, we can put away the winter shovels and spend the weekend flying a kite.